Group Policy Blog by Darren Mar-Elia (The “GPOGUY”)
Quirks in Restricted Groups Policy on AD Groups
About a year ago, I posted about the perils of granting someone write access on the Active Directory Domain NC "head" object, and how you could use that and some quirks in Restricted Groups policy to essentially elevate your access in AD, just based on being able to...
Understanding the Registry Policy Archive File
One of the advantages of messing around with Group Policy since before it shipped, is that there is a lot of stuff rattling around in my head that I've been re-thinking in the context of today's modern threat landscape. This allows me to think about current day...
Hijacking Administrative Templates
As I think about Group Policy as a target for attackers, there are many obvious avenues to take advantage of a poorly protected GP infrastructure. I've written about many of these here:...
What Does Group Policy Do When It Can’t Contact a DC?
The title of this blog tells it all. I got asked the question--what happens to GP processing when a client machine isn't on the network and can't connect to it's domain Domain Controllers (DCs)? Does policy get removed? Does it just stay where it is? Can I temporarily...
Sending GPOs Down the Wrong Track–Redirecting the GPT
At this blog title implies, this is a bit of a science experiment. Many years ago I played around with this idea that, there is nothing in the GP infrastructure that REQUIRES you to use SYSVOL to store the settings files that compose most in-the-box policy areas. At...
Group Policy Security– Tinkering with External Paths
If you've been following this blog, you know that about 2 and half years ago, I started talking about Group Policy's precarious role in the typical enterprise's security posture. Many, if not most, AD shops use GP to perform security hardening on their Windows...
Speaking in Chicago Next Month!
Hey folks! Just a quick note that I'm giving a talk next month in Chicago. This is a follow-on to the Semperis Hybrid Identity Protection (HIP) Conference that I spoke at last November. This Chicago "Tech Day" event is a one-day event on March 13th in downtown...
Group Policy Storage Whitepaper Updated!
Hey Folks. It's been too long since I posted here, so I thought I'd break my fast by posting something a bit meaty. Many moons ago, I created a whitepaper, which is on the Gpoguy portion of this site, that described how and where the various areas in Group Policy...
Elevating AD Domain Access With Write Access on the Domain NC Head
With this post and my last post, I guess I'm on a path of finding interesting ways to "break" AD. The last post related to AD denial of service and this one relates to an interesting way to get to privileged access on AD by gaining what would seem to be completely...
Performing a Denial of Service on AD–How Hard Is it Really?
I was motivated to write this post based on a vendor blog that I read recently, that talked about ways to maliciously perform what amounted to a denial of service attack on AD. Ostensibly the post was designed to sell software, which I don't begrudge, but it got me...